
Everything is under NDA Unless otherwise stated.

[Diagram: IoT reference architecture. Devices in the Personal Environment and Networks reach Cloud Systems over the Internet, ISP and (Mobile) Network Operators, either directly, through a Field Gateway, through an MNO Gateway or through a Cloud Gateway; Local Interaction happens alongside. Cloud Systems expose Cloud Portals and APIs, a Control System, Analytics and Data Management, reached through Mobile & Web Interaction.]

Watches, Glasses, Work Tools, Hearing Aids, Robotic Assistance, …
Homes, Vehicles, Vessels, Factories, Farms, Oil Platforms, …
Vehicle Fleets, Sea Vessels, LV Smart Grids, Cattle, …

[Diagram: on-premises counterpart of the cloud tier: a Local Gateway fronting Local Portals and APIs, Control System, Analytics and Data Management.]

[Slide: application domains, grouped on the slide under Energy, Mobility, City, Health and Buildings:] Electricity Distribution, Gas Distribution, Patient Tracking, Mobile Care, Safety Management, Climate Control, Lighting, Energy Management, Drinking Water, Waste Water, Pollution Control, Fire Protection, Medical Emergency, Public Order, Toll Collection, Traffic Flow, Air Traffic Control, Bus/Tram/Train, Traffic Alerts, Street Quality, Flood Control, Solid Waste, Air Quality, Lifts and Escalators, Signage, Water, Wind/Solar/Geothermal, Fuel Distribution, Power Plants, Nuclear Waste, Oil/Gas Production, Coal Mining, OR Equipment, Vital Monitoring, Implants, Disability Aids, Lab Equipment, Radiology Equipment, Rule Enforcement, Airports, Taxi, Diabetes.

IT engineers know how to make digital things secure.

Secure Development Lifecycle

Secure Network Technologies

Threat & Vulnerability Mitigation

Monitoring and Alerting

Software/Firmware Auto-Updates

Privacy Models

OT engineers know how to make physical things safe and secure.

Standards, Procedures, Training, Continuous Improvement

Physical access management

Hazard and Risk Analysis

Monitoring and Maintenance

Fail Safe and Safety Equipment

Best Practice: IT and OT engineers collaborate in making “cyberphysical” systems safe and secure.

Security Development Lifecycle & Operational Security Assurance
Protect: Network and Identity Isolation; Vulnerability / Update Management; Least Privilege / Just-in-Time (JIT) Access; Auditing and Certification
Detect: Live Site Penetration Testing; Fraud and Abuse Detection; Centralized Logging and Monitoring
Respond: Breach Containment; Coordinated Security Response; Customer Notification
http://microsoft.com/sdl

[Diagram: layered security model across the three tiers Cloud, Field Gateways and Devices, under common Policies, Procedures, Guidance. Layers per tier: Physical (all three); Network (Global Network for the cloud, Local Network for field gateways and devices); Identity and Access Control (spanning all three); Application (cloud) / Edge Application (field gateways and devices); Data (all three); Host (all three).]

Data Privacy Protection and Controls
People and Device Identity Federation, Data Attestation
Trustworthy Platform Hardware, Signed Firmware, Secure Boot/Load
Secure Networks, Transport and Application Protocols, Segmentation
Tamper/Intrusion Detection
Physical Access Security

[Chart: the IoT sweet spot lies between the $1 Sensor and the $10000 Server, below the $400 Phones and $1000 PCs, on axes of Cost, Computational Capabilities, Memory/Storage Capacity, Energy Consumption/Source and Component Quality.]


[Diagram: plant network with PLC, Machine Control Logic, Operator and Configuration stations on a LAN, and a Service Desk reached over VPN from a second LAN; each link is annotated with the STRIDE threats that apply to it: S,R; T,I,D (on most links); S,T,R,I,D,E (twice); T,R,I,D.]
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege

[Diagram, repeated as two slide builds: the same PLC / Service Desk / Machine Control Logic / Operator / Configuration network, now with only T,I and T,I left as link annotations; the STRIDE legend (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is shown again.]
Not a whole lot …
… and they even broaden the attack surface area by fusing the networks

[Diagram, “1. Own This, 2. Own That”: inside the Vehicle, Diagnostics, Entertainment and Control sit on the CAN bus behind a “Telematics Box”; a VPN Gateway connects it over the MNO Private APN and the Public APN to the back end’s ERP, CRM and Fleet, Vehicle, and Driver Solutions…; many Vehicles share that same path.]
Own one, own them all

More issues:
+ Addressing and Discovery
+ Temporal Coupling
Will you defend a million tiny, underpowered, public network servers that must triage unsolicited traffic? Or do you think they could use some help with defense?

[Diagram: a device behind (CG)NAT / Firewall / Router on an Isolated Network connects as a Client to a Service Gateway with a public address.]
Port mapping is automatic, outbound.
Device does not actively listen for unsolicited traffic.
No inbound ports open, attack surface is minimized.
Public address, full and well defendable server platform.

[Diagram: devices (directly, behind a Field Gateway, or from a Mobile Cell) sit behind (CG)NAT / Firewall / Router and connect outbound to a Service Gateway, which consults a Device Identity Registry/Directory and Access Control Policies; queues (“Q”) buffer traffic in both directions.]
Connections are device-initiated and outbound.

Temporal Decoupling
Logical Addressing
• Device Authentication
• Authorization (Access Policy Enforcement)
• DoS Defense
• Application Layer Integration (vs. Link/Network)
[Diagram labels: Mobile Backend; Trust; Device Identity Registry/Directory; Access Policies]


Tokens: a token expresses current membership of the device in the solution context. Asymmetrically signed by the directory. Cacheable. Expires periodically.

[Diagram: Datacenter (“Cloud”) and Vehicle. In the Vehicle, Diagnostics, Entertainment and Control sit on the CAN bus behind the “Telematics Box”; in the datacenter a Telematics Gateway fronts ERP, CRM, Fleet, Vehicle, and Driver Solutions, Control, Value-Add Services, Analysis and Optimization, and Servicing. In-vehicle control is hard real-time; the link to the datacenter is near real-time.]
AMQP 1.0 Link: Bi-Directional, Secure, Reliable Transfer, Application Level, No Peer Exposure.

[Diagram: reference architecture with an OPC UA Gateway. Devices connect through the OPC UA Gateway or the Cloud Gateway to Cloud Systems (Cloud Portals and APIs, Control System, Analytics, Data Management), and through a Local Gateway to Local Portals and APIs, Control System, Analytics and Data Management.]
AMQP 1.0 Link: Bi-Directional, Secure, Reliable Transfer, Application Level, No Inbound Ports.


[Slide: number of 3rd-party software components per device type]
Smart phone: 64
Thermostat: 7
Baby monitor: 11
Wi-Fi AP: 35
Router: 102
Action camcorder: 21
Smart TV: 12
Multifunction printer: 16
Infusion pump: 3
Smart car infotainment: 107
Security camera: 21
Smart socket: 4


Points of Interest:
“Flat-panel LCD TVs have a lifespan approaching 100,000 hours on average” – this is over 11 years!!!
Smart TVs have a one (1) year product cycle. Software from newer models often doesn’t run on older models due to HW differences.
The latest available SW is affected by 584 unique CVEs as of March 1, 2015.
At which point should the consumer determine that the product is no longer safe to use?
(* date may not be fully accurate, as e.g. partial OTA updates may have been delivered after this date as well; see the security update of Nov 2014)


[Chart: cumulative unique CVEs affecting the 2012 smart TV lineup over its lifetime; annotations:]
• 2012 Smart TV lineup launched: Nov/Dec 2011
• Last firmware / SW update: Mar 2013*. Approx. 178 unique CVEs affecting the product at the moment of SW EoL
• Nov 2014: security update to patch curl, openssl, flash_player, ffmpeg, libpng and freetype
• Today, March 1, 2015: 584 unique CVEs in 23 components. Approx. 0.58 new CVEs / day over the course of 23 months
• Nov 2023: end of the 100,000 hours average lifespan of the LCD TV screen. 7 more years of expected operation of the LCD TV (based on 100,000 hours average lifespan). Estimated 2276 CVEs affecting the product by Nov 2023 based on the historic 0.58 CVEs per day
• Span marker on the chart: 8 years


One year standard warranty for parts and labor from the date of purchase.
One year product cycle.


[Diagram: cloud back-end capabilities: Connectivity (x Millions of devices), Data Flow (x GByte/sec), Time Series and State Storage, Event Storage (x PByte), Real Time Analytics, Historic and Predictive Analytics, Device Software Management, Device Identity Management.]

[Diagram: IoT Hub. Devices connect over HTTPS, AMQPS and MQTTS to the IoT Hub Gateway, which fronts the Identity Registry, Device Management and Provisioning, the Data and Command Flow with per-device command queues, and an Event Hub. Field Gateways (OPC UA, CoAP, AllJoyn, …) and Self-Hosted Gateways (MQTT, Custom) bridge other protocols; OSS Device SDKs / Agents cover Management, Communication and Provisioning; service-side APIs sit on top.]


Hyper-Scale Identity Registry for millions of devices per IoT Hub. Can federate identity with and via Azure Active Directory.


Native support for the Service Assisted Communication model, potentially holding millions of concurrent bi-directional connections. AMQP 1.0 (with WebSockets), HTTP/2.
Secure by Principle. IoT Hub does not permit insecure connections. TLS is always enforced. TLS/X509 initially; TLS/PSK & TLS/RPK on the roadmap for compute-constrained devices and bandwidth-limited or expensive metered links.


Channel-level authentication and authorization against the gateway.
Validation of signatures against the identity registry and blacklists (for signature tokens).
All messages are tagged with the originator on the service side, allowing detection of in-payload origin spoofing attempts.
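The token and tagging model described here and in the earlier Tokens slide (membership tokens asymmetrically signed by the directory, cacheable and periodically expiring; signatures checked against the registry and a blacklist; every accepted message tagged with its authenticated originator so an in-payload origin claim can be checked against it), as an added Go example. This is editor-written illustration code, not the deck's or IoT Hub's implementation: NewDirectoryKeys, IssueToken, Gateway and Ingest are hypothetical names, Ed25519 from Go's standard library stands in for whatever signature scheme the real directory uses, and the JSON token and message layouts are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Token: the directory's claim that DeviceID is a current member; Expires (unix seconds) forces renewal.
type Token struct{ DeviceID string; Expires int64 }

// SignedToken: claims plus the directory's Ed25519 signature; verifiable with the public key, so cacheable.
type SignedToken struct{ Claims, Sig []byte }

// NewDirectoryKeys derives the directory key pair from a seed (deterministic for the example only).
func NewDirectoryKeys(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// IssueToken runs in the directory, the only holder of the private key (hypothetical API).
func IssueToken(dirKey ed25519.PrivateKey, dev string, ttl time.Duration, now time.Time) SignedToken {
	claims, _ := json.Marshal(Token{DeviceID: dev, Expires: now.Add(ttl).Unix()})
	return SignedToken{Claims: claims, Sig: ed25519.Sign(dirKey, claims)}
}

// Gateway holds the directory's public key and a revocation list (the deck's "blacklist").
type Gateway struct{ DirPub ed25519.PublicKey; Revoked map[string]bool }

// Tagged is the service-side view: Originator is proven by channel authentication, ClaimedFrom is
// only what the payload said, and OriginSpoof marks a mismatch (in-payload origin spoofing).
type Tagged struct{ Originator, ClaimedFrom, Body string; OriginSpoof bool }

// Ingest checks the token (signature, expiry, revocation), then tags the message with the proven originator.
func (g Gateway) Ingest(t SignedToken, raw []byte, now time.Time) (Tagged, error) {
	var c Token
	if !ed25519.Verify(g.DirPub, t.Claims, t.Sig) || json.Unmarshal(t.Claims, &c) != nil {
		return Tagged{}, errors.New("token rejected: bad signature or malformed claims")
	}
	if now.Unix() >= c.Expires || g.Revoked[c.DeviceID] {
		return Tagged{}, errors.New("token rejected: expired or device revoked")
	}
	var m struct{ From, Body string } // device-controlled payload; From is merely a claim
	if err := json.Unmarshal(raw, &m); err != nil {
		return Tagged{}, err
	}
	return Tagged{Originator: c.DeviceID, ClaimedFrom: m.From, Body: m.Body, OriginSpoof: m.From != c.DeviceID}, nil
}
```

The gateway never trusts the payload's own sender field; the originator it records comes from the token it verified, which is what makes spoofed origin claims visible downstream.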


Device management foundation capabilities for device state inventory and update delivery.


[Diagram: the layered model (Policies, Procedures, Guidance; Physical; Global Network / Local Network; Identity and Access Control; Application / Edge Application; Data; Host, across Cloud, Field Gateways and Devices) with STRIDE threat modeling applied at each layer.]

http://microsoft.com/sdl

http://azure.microsoft.com/en-us/support/trust-center/

ISO 27001/27002, SOC 1/SSAE 16/ISAE 3402 and SOC 2, Cloud Security Alliance CCM, FedRAMP, FISMA, FBI CJIS (Azure Government), PCI DSS Level 1, United Kingdom G-Cloud, Australian Government IRAP, Singapore MTCS Standard, HIPAA, CDSA, EU Model Clauses, Food and Drug Administration 21 CFR Part 11, FERPA, FIPS 140-2, CCCPPF, MLPS

http://aka.ms/CloudArchitecture